RADIUS (Remote Authentication Dial In User Service) is a protocol standardized by the IETF for carrying authentication information between an access point and a back-end authentication server. The RADIUS protocol is deployed by most Internet Service Providers and in enterprise wireless networks to manage large, scalable networks with a large number of subscribers. In this article, we explain how to use the tshark tool to capture authentication traffic between an access point and the RADIUS server. The captured traffic will then be used to get some basic statistics such as the number of successful authentications and the number of failed authentications.

In wireless network access control, the RADIUS protocol is used by wireless access points that support the 802.1X protocol to forward EAP messages between the wireless station and the back-end EAP server collocated with the RADIUS server. The access point extracts EAP messages from 802.1X frames received from the wireless station, encapsulates them into RADIUS packets, then sends them to the back-end RADIUS server. The RADIUS server, after processing the EAP payload, generates an EAP message and sends it back to the wireless access point. The EAP payload is then encapsulated into an 802.1X frame and sent to the wireless station. The EAP exchange continues until an EAP-Success message is sent from the RADIUS server to the wireless access point.

Tshark is an open-source command-line tool for dumping and analyzing network traffic. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

Tshark is developed as part of the Wireshark project. On Debian-based systems, it can be installed using apt by simply typing

A large amount of traffic that corresponds to EAP authentication over RADIUS can be generated using the eapol_test utility from the wpa_supplicant project. The eapol_test utility must be compiled from source by typing

make eapol_test

To generate traffic using eapol_test, we run the following script from a machine that can reach the RADIUS server.

The first step in analyzing network authentication performance consists of capturing the RADIUS traffic that transports EAP authentication exchanges. In order to do that, we need to run tshark on a host located between the wireless access points and the RADIUS server.

To instruct tshark to capture RADIUS traffic, we need to issue the following command:

tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap

The -f flag is used to specify a capture filter. Packets that do not match the filter expression following the -f flag will not be captured.

The -i flag is used to specify the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.

The -w flag is used to specify a file where the captured traffic will be saved for later processing.

The above output contains a lot of data about the RADIUS traffic that we captured; however, that kind of output is not very easy to interpret. Using simple tools such as wc, grep and awk, we can extract more useful statistical information. For example, the number of successful authentications can be easily computed as follows:
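
One way to compute these counts from the saved capture, as an added example rather than the article's own command. It assumes tshark's radius.code and ip.dst fields and the RFC 2865 code values (1 Access-Request, 2 Access-Accept, 3 Access-Reject, 11 Access-Challenge); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# RADIUS codes (RFC 2865): 1=Access-Request, 2=Access-Accept,
# 3=Access-Reject, 11=Access-Challenge.

# Print one line per RADIUS packet in the capture: code <TAB> destination IP.
radius_fields() {
    tshark -r "$1" -Y radius -T fields -e radius.code -e ip.dst
}

# Constructed sample of what radius_fields prints (server 192.0.2.10,
# access points 192.0.2.21 and 192.0.2.22), so the script runs offline.
sample_fields() {
    printf '%s\t%s\n' \
        1 192.0.2.10  11 192.0.2.21  1 192.0.2.10  2 192.0.2.21 \
        1 192.0.2.10  3 192.0.2.22   1 192.0.2.10  3 192.0.2.22 \
        1 192.0.2.10  3 192.0.2.21
}

# Read code/IP lines on stdin and print the totals on one line.
radius_totals() {
    awk -F '\t' '
        $1 == 1  { req++ }
        $1 == 2  { acc++ }
        $1 == 3  { rej++ }
        $1 == 11 { chal++ }
        END { printf "requests=%d challenges=%d accepts=%d rejects=%d\n",
                     req, chal, acc, rej }'
}

# Access-Reject packets travel from the server to the access point, so their
# destination IP identifies the access point whose stations are failing.
radius_rejects_by_ap() {
    awk -F '\t' '$1 == 3 { n[$2]++ } END { for (ap in n) print ap, n[ap] }' |
        sort -k2,2nr -k1,1
}

# With a capture file as first argument, analyze it; otherwise use the sample.
if [ -n "${1:-}" ]; then radius_fields "$1"; else sample_fields; fi | radius_totals
```

Pass the capture written by the -w flag (for example /tmp/capture.cap) as the first argument; piping radius_fields into radius_rejects_by_ap lists the access points with the most failed authentications first.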